CVE-2026-30587
March 26, 2026, 3:13 p.m.
None
No Score
Description
Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc (sdoc) editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows authenticated remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags
Product(s) Impacted
| Vendor | Product | Versions |
|---|---|---|
| Seafile |
|
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
*CPE(s)
Affected systems and software identified for this CVE.
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| a | seafile | seafile_server | 13.0.15 | / | / | / | / | / | / | * |
| a | seafile | seafile_server | 13.0.16-pro | / | / | / | / | / | / | / |
| a | seafile | seafile_server | 12.0.14 | / | / | / | / | / | / | / |
| a | seafile | seafile_server | <13.0.17 | / | / | / | / | / | / | |
| a | seafile | seafile_server | 13.0.17 | / | / | / | / | / | / | / |
| a | seafile | seafile_server | 12.0.20-pro | / | / | / | / | / | / | / |
References
Tags
Timeline
Published: March 25, 2026, 6:16 p.m.
Last Modified: March 26, 2026, 3:13 p.m.
Last Modified: March 26, 2026, 3:13 p.m.
Status : Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.